Which of the following approaches would meet these requirements?
(Choose two.)
Create a multi-account strategy with an account per company. Use consolidated billing to ensure that AnyCompany needs to pay a single bill only.
Create a multi-account strategy with a virtual private cloud (VPC) for each company. Reduce impact across companies by not creating any VPC peering links. As everything is in a single account, there will be a single invoice. Use tagging to create a detailed bill for each company.
Create IAM users for each Developer in the account to which they require access. Create policies that allow the users access to all resources in that account. Attach the policies to the IAM user.
Create a federated identity store against the company’s Active Directory. Create IAM roles with appropriate permissions and set the trust relationships with AWS and the identity store. Use AWS STS to grant users access based on the groups they belong to in the identity store.
Create a multi-account strategy with an account per company. For billing purposes, use a tagging solution that uses a tag to identify the company that creates each resource.
Explanations:
Creating a multi-account strategy with an account for each company allows for resource separation and individualized billing. Using consolidated billing, AnyCompany can receive a single invoice that includes charges for all accounts, meeting the requirement for centralized payment.
While creating a VPC for each company in a single account reduces impact across companies, it does not provide the resource separation needed for security and billing. Additionally, having a single account means there will not be individual invoices for each company, which violates the chargeback requirement.
Creating IAM users for each Developer in a single account does not achieve the goal of isolating resources per company. This approach allows developers to potentially access or affect resources in other companies’ environments, failing to enforce resource boundaries.
A federated identity store with IAM roles allows for centralized authentication and authorization, enabling developers to access only the resources relevant to their company. By setting trust relationships with the identity store, permissions can be managed effectively based on group memberships.
While a multi-account strategy with an account per company is correct, relying on tags within a single account for billing fails to meet the requirement of charging back to individual companies accurately, as all resources would be in one account without separate invoices.